Merge pull request scratchfoundation#96 from cwillisf/notarize-mac-build

Notarize macOS build

Author: cwillisf

buildResources/entitlements.inherit.plist

@@ -4,6 +4,8 @@
 <dict>
 <key>com.apple.security.app-sandbox</key>
 <true/>
+<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+<true/>
 <key>com.apple.security.inherit</key>
 <true/>
 </dict>

buildResources/entitlements.plist

@@ -4,6 +4,8 @@
 <dict>
 <key>com.apple.security.app-sandbox</key>
 <true/>
+<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+<true/>
 <key>com.apple.security.device.audio-input</key>
 <true/>
 <key>com.apple.security.device.camera</key>

electron-builder.yaml

@@ -3,8 +3,10 @@ directories:
   output: dist
 appId: edu.mit.scratch.scratch-desktop
 productName: "Scratch Desktop"
+afterSign: "scripts/afterSign.js"
 mac:
   category: public.app-category.education
+  hardenedRuntime: true
   icon: buildResources/ScratchDesktop.icns
   provisioningProfile: embedded.provisionprofile
   target:

package-lock.json

@@ -38,6 +38,7 @@
     "electron": "^6.1.7",
     "electron-builder": "^22.2.0",
     "electron-devtools-installer": "^2.2.4",
+    "electron-notarize": "^0.2.1",
     "electron-store": "^3.3.0",
     "electron-webpack": "^2.7.4",
     "eslint": "^5.16.0",

package.json

@@ -0,0 +1,42 @@
+const {notarize} = require('electron-notarize');
+
+const notarizeMacBuild = async function (context) {
+    // keep this in sync with appId in the electron-builder config
+    const appId = 'edu.mit.scratch.scratch-desktop';
+
+    if (!process.env.AC_USERNAME) {
+        throw new Error(
+            'Notarizing the macOS build requires an Apple ID.\n' +
+            'Please set the environment variable AC_USERNAME.\n' +
+            'Make sure your keychain has an item for "Application Loader: [email protected]"'
+        );
+    }
+
+    const appleId = process.env.AC_USERNAME;
+    const appleIdKeychainItem = `Application Loader: ${appleId}`;
+
+    console.log(`Notarizing with Apple ID "${appleId}" and keychain item "${appleIdKeychainItem}"`);
+
+    const {appOutDir} = context;
+    const productFilename = context.packager.appInfo.productFilename;
+    await notarize({
+        appBundleId: appId,
+        appPath: `${appOutDir}/${productFilename}.app`,
+        appleId,
+        appleIdPassword: `@keychain:${appleIdKeychainItem}`
+    });
+};
+
+const afterSign = async function (context) {
+    const {electronPlatformName} = context;
+
+    switch (electronPlatformName) {
+    case 'mas': // macOS build for Mac App Store
+        break;
+    case 'darwin': // macOS build NOT for Mac App Store
+        await notarizeMacBuild(context);
+        break;
+    }
+};
+
+module.exports = afterSign;

scripts/afterSign.js

@@ -52,11 +52,20 @@ const runBuilder = function (targetGroup) {
     const platformFlag = getPlatformFlag();
     const command = `electron-builder ${platformFlag} ${targetGroup}`;
     console.log(`running: ${command}`);
-    spawnSync(command, {
+    const result = spawnSync(command, {
         env: childEnvironment,
         shell: true,
         stdio: 'inherit'
     });
+    if (result.error) {
+        throw result.error;
+    }
+    if (result.signal) {
+        throw new Error(`Child process terminated due to signal ${result.signal}`);
+    }
+    if (result.status) {
+        throw new Error(`Child process returned status code ${result.status}`);
+    }
 };
 
 /**
@@ -69,8 +78,10 @@ const calculateTargets = function () {
         // run in two passes so we can skip signing the appx
         return ['nsis', 'appx'];
     case 'darwin':
-        // run in one pass for slightly better speed
-        return ['dmg mas'];
+        // Running 'dmg' and 'mas' in the same pass causes electron-builder to skip signing the non-MAS app copy.
+        // Running them as separate passes means they both get signed.
+        // Seems like a bug in electron-builder...
+        return ['dmg', 'mas'];
     }
     throw new Error(`Could not determine targets for platform: ${process.platform}`);
 };